Two new Android vulnerabilities, similar to the original Stagefright bug, can allow attackers to gain control of compromised devices when a victim views a preview of an .mp3 or .mp4 file. The two vulnerabilities, CVE-2015-6602 (in libutils) and CVE-2015-3876 (in libstagefright), can allow remote code execution on Android devices, leading to privilege escalation that can grant the attacker complete control of the compromised device. An attacker with this level of access could install malware and steal information, among other malicious actions.
Attackers can exploit these flaws by creating malicious .mp3 audio files and .mp4 video files, and enticing a user to preview a song or video on an affected Android device. While Google patched Stagefright so it no longer automatically processes crafted messages, it remains possible for attackers to exploit Stagefright through the mobile browser. The Stagefright 2.0 vulnerabilities could also be exploited through man-in-the-middle attacks and through third-party applications that still use Stagefright.
Updates for CVE-2015-6602 and CVE-2015-3876 are not currently available, but Google has noted that these issues will be patched in its October Monthly Security Update on Monday, October 5. Full details are available here. While Google plans to push updates, these updates may not make it to all affected devices because the carriers and manufacturers still have to distribute them. Google has stated that patches were provided to partners on September 10, and the company is working with OEMs and carriers to deliver the updates as quickly as possible.
It is likely that all current Android devices are vulnerable to the two new flaws. CVE-2015-6602 affects almost every Android device since version 1.0 and CVE-2015-3876 affects any device running version 5.0 or higher. However, there are no reports of these vulnerabilities being exploited in the wild.
Josh Drake of Zimperium zLab discovered the vulnerabilities and notified the Android Security Team on August 15. Zimperium has not made its proof of concept for the flaws available to the general public.
Until a patch is applied, proceed cautiously when using your mobile browser to preview unsolicited audio and video files.
Android users are advised to apply any security updates issued by their carrier or device manufacturer as and when they become available.